Gandcrab 5.2 spreads via fake CDC emails warning of pandemic influenza

Scammers spread Gancrab 5.2 ransomware via suspicious emails that claim to come from the Centers for Disease and Control Prevention

A new campaign against malware has spread into emails that distribute a well-known variant of the infamous ransomware software – Gandcrab v5.2.^[1] The malicious activity was discovered for the first time about a week ago and announced by a cybersecurity company, MyOnlineSecurity.^[2]

Cyber ​​criminals use fake CDC emails that provide users with information about a new influenza pandemic that has spread recently. Criminals imitate to be centers of control and prevention of diseases^[3] in order to make the scam credible.

The fake message is accompanied by the address line "Centers for Disease Control and Prevention" and another line for the subject claiming "Warning for Pandemic Influenza". People are strongly advised to open the document attached to the message. According to the sender, this will prevent the flu from spreading further. However, those who have the eye for details will notice that the email message is not from CDC but from [email protected].^[4]

Once the ransomware software is downloaded, it will appear in the C: \ Windows \ Temp folder section.

The fake email message contains the following text:

Please focus on this special announcement!

Currently, influenza activity is severely elevated. The US Center for Disease Control and Prevention (CDC) estimates that in the last four months, the situation has deteriorated substantially: nearly 20,000 sick people have already been killed by the flu and more 220,000 were hospitalized urgently.

DOC Directions

To prevent the spread of the disease and prevent people from getting the flu, the US Center for Disease Control and Prevention has developed a list of guidelines. You can find a DOC file with this list as an attachment to the email. It is recommended that you read it carefully and follow the instructions to prevent the disease. With care of your health, Communication Department of CDC.

More interested? unsubscribe

In addition, users launch Gandcrab v5.2 by accessing the malicious program "Pandemic influenza warning.doc" and modifying it in viewing mode.^[5] The ransomware software is then downloaded from hxxp: //205.185.125.109/samanta.exe and its malicious load is transferred to the C: Windows \ Temp folder of the Windows machine.

After that, the file encryption virus will launch its unique encryption algorithm and start locking the files by adding a random extension to each document. For example, the encrypted data might appear to be: picture.jpg.UGHTRR or picture.jpg.YRSTN, and so on. A ransom message is permanently displayed. This extension also includes the file extension: UGHTRR-MANUAL.txt.

Always review the emails you have received to make sure that no ransomware software is hidden inside.

If you are a victim of this malware campaign and Gancrab v5.2 has encrypted all your files, we suggest that you do not panic and look for options. Scammers often request that a particular amount be transferred to the Bitcoin account of the criminals account if the user wishes to receive a decryption tool for locked files.

Some hackers send the payment details directly into the ransom message, while others want to download the Tor browser and view all payment details. However, experts do not recommend paying ransom, as scammers often defraud the victims and never return the decipherer, resulting in a loss of money.

Better to use data recovery software recommended by security experts. In addition, take all possible security measures to prevent similar attacks by ransomware in the future. The most important thing to do is to always carefully check the emails and attachments you receive.

Be aware that the authors of GandCrab launch several Malspam campaigns (not surprisingly, because the malware is distributed via the RaaS system), and Centers for Disease Control is perhaps not the only user that hackers are trying to describe to incite users to open the malicious file. For example, scammers had previously encouraged office workers to open the alleged evacuation card, while the "Love You" campaign focused on Japanese victims.